Skip to content

Encryption

FuryMesh provides robust end-to-end encryption to ensure your data remains private and secure throughout the transfer process.

Overview

Security is a core principle in FuryMesh's design. The encryption system provides:

  • End-to-End Encryption: Data is encrypted before leaving your device and decrypted only by the intended recipient
  • Key Management: Secure generation, storage, and exchange of encryption keys
  • Content Integrity: Verification that files haven't been tampered with during transfer
  • Forward Secrecy: Protection of past communications even if keys are compromised in the future

Encryption Architecture

FuryMesh uses a hybrid encryption approach combining the speed of symmetric encryption with the security of asymmetric encryption:

  1. Asymmetric Encryption (RSA-2048): Used for secure key exchange and authentication
  2. Symmetric Encryption (AES-256-GCM): Used for efficient encryption of file data
  3. Hash Functions (SHA-256): Used for data integrity verification

Key Management

Key Generation

When you first run FuryMesh, it generates:

  • An RSA key pair (public and private keys)
  • A unique node identifier derived from your public key

These keys are stored securely in your local configuration directory:

~/.furymesh/keys/
├── private_key.pem  # Your private key (keep secure!)
└── public_key.pem   # Your public key (shared with peers)

Key Exchange

Before transferring files, FuryMesh performs a secure key exchange:

  1. Peers authenticate each other using their RSA public keys
  2. A unique session key is generated for each file transfer
  3. The session key is encrypted with the recipient's public key
  4. Only the recipient can decrypt the session key using their private key

File Encryption Process

When sharing a file with encryption enabled:

  1. FuryMesh generates a random 256-bit AES key for the file
  2. The file is split into chunks and each chunk is encrypted with the AES key
  3. The AES key is encrypted with the recipient's public RSA key
  4. The encrypted chunks and encrypted AES key are transferred to the recipient
  5. The recipient decrypts the AES key using their private RSA key
  6. The recipient decrypts each chunk using the AES key
  7. The decrypted chunks are reassembled into the original file

Verification and Integrity

To ensure files aren't corrupted or tampered with:

  1. A SHA-256 hash is calculated for each chunk before encryption
  2. Hashes are transferred along with the encrypted data
  3. After decryption, the recipient recalculates the hash of each chunk
  4. If the hashes don't match, the chunk is rejected and requested again

Configuration Options

Encryption can be customized through several configuration options:

encryption:
  enabled: true                  # Enable/disable encryption
  keys_dir: ~/.furymesh/keys     # Directory for key storage
  rsa_key_size: 2048             # RSA key size in bits
  aes_key_size: 256              # AES key size in bits
  verify_peers: true             # Verify peer identities
  encrypt_metadata: true         # Encrypt file metadata

Performance Considerations

Encryption adds some overhead to file transfers:

  • CPU Usage: Encryption and decryption require computational resources
  • Transfer Size: Encrypted data includes additional headers and padding
  • Latency: Key exchange adds a small delay before transfers begin

However, FuryMesh is optimized to minimize this overhead:

  • Chunk-based encryption allows for parallel processing
  • Hardware acceleration is used when available
  • Only essential data is encrypted to maintain performance

Security Best Practices

To maximize security when using FuryMesh:

  1. Keep your private key secure: Never share your private key or expose it to untrusted applications
  2. Verify peer identities: Enable peer verification to prevent man-in-the-middle attacks
  3. Update regularly: Keep FuryMesh updated to benefit from security improvements
  4. Use strong passwords: If you encrypt your private key with a password, use a strong, unique password
  5. Back up your keys: Store a secure backup of your keys to avoid losing access to your encrypted files

Limitations

While FuryMesh's encryption is robust, users should be aware of certain limitations:

  • Encryption doesn't hide the fact that you're using FuryMesh
  • Metadata like transfer times and peer connections may still be visible to network observers
  • The security of your data depends on keeping your private key secure

By understanding these considerations, you can make informed decisions about how to use FuryMesh's encryption features effectively.